[Git][security-tracker-team/security-tracker][master] Mark CVE-2024-58134 and CVE-2024-58135 as ignored for bullseye
Sean Whitton (@spwhitton)
spwhitton at debian.org
Mon May 19 11:42:39 BST 2025
Sean Whitton pushed to branch master at Debian Security Tracker / security-tracker
Commits:
030a93d2 by Sean Whitton at 2025-05-19T11:42:28+01:00
Mark CVE-2024-58134 and CVE-2024-58135 as ignored for bullseye
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -4893,14 +4893,32 @@ CVE-2025-37799 (In the Linux kernel, the following vulnerability has been resolv
CVE-2024-58135 (Mojolicious versions from 7.28 through 9.40 for Perl may generate weak ...)
- libmojolicious-perl <unfixed> (bug #1104633)
[bookworm] - libmojolicious-perl <no-dsa> (Minor issue)
+ [bullseye] - libmojolicious-perl <ignored> (Minor issue, upstream's fix requires newer libcryptx-perl)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/29241187/
NOTE: https://github.com/mojolicious/mojo/pull/2200
+ NOTE: The problem does not occur if the user has configured a
+ NOTE: cryptographically secure HMAC session secret, and upstream
+ NOTE: expects users to already be doing that for production
+ NOTE: deployments. In addition, upstream has installed commit
+ NOTE: c82071556c569a251152892c8cc2fd0ad5a4be54 such that recent
+ NOTE: Mojolicious automatically generates a secure session secret.
+ NOTE: However, that commit requires libcryptx-perl >=0.080, which is
+ NOTE: only in trixie or newer.
CVE-2024-58134 (Mojolicious versions from 0.999922 through 9.40 for Perl uses a hard c ...)
- libmojolicious-perl <unfixed> (bug #1104648)
[bookworm] - libmojolicious-perl <no-dsa> (Minor issue)
+ [bullseye] - libmojolicious-perl <ignored> (Minor issue, upstream's fix requires newer libcryptx-perl)
NOTE: https://lists.security.metacpan.org/cve-announce/msg/29247502/
NOTE: https://github.com/mojolicious/mojo/pull/1791
NOTE: https://github.com/mojolicious/mojo/pull/2200
+ NOTE: The problem does not occur if the user has configured a
+ NOTE: cryptographically secure HMAC session secret, and upstream
+ NOTE: expects users to already be doing that for production
+ NOTE: deployments. In addition, upstream has installed commit
+ NOTE: c82071556c569a251152892c8cc2fd0ad5a4be54 such that recent
+ NOTE: Mojolicious automatically generates a secure session secret.
+ NOTE: However, that commit requires libcryptx-perl >=0.080, which is
+ NOTE: only in trixie or newer.
CVE-2025-4222 (The Database Toolset plugin for WordPress is vulnerable to Sensitive I ...)
NOT-FOR-US: WordPress plugin
CVE-2025-4218 (A vulnerability was found in handrew browserpilot up to 0.2.51. It has ...)
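Review bot: the justification added in the new NOTE lines (the upstream commit c82071556c569a251152892c8cc2fd0ad5a4be54 requires libcryptx-perl >=0.080, which is only in trixie or newer) applies to bookworm just as much as to bullseye, yet bookworm keeps `[bookworm] - libmojolicious-perl <no-dsa> (Minor issue)` while bullseye gets `<ignored>`. Either bookworm should receive the same `<ignored>` marking with the same reason, or the NOTE should state why bookworm can still take a fix that bullseye cannot (for example a backported change that does not depend on the newer libcryptx-perl). Separately, the eight NOTE lines are pasted verbatim into both CVE-2024-58135 and CVE-2024-58134; since both entries already share the https://github.com/mojolicious/mojo/pull/2200 link, keeping the full explanation under one entry and pointing the other at it would avoid the two copies drifting apart on the next edit.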
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/030a93d278b33244da222cefad71ddeafac6a975